
Re: [tlug] Blocking bad sshd bruteforce attempt



> All I had to change is
>
> log { source(a_src); filter(f_anticrack); destination(d_anticrack); };

I have completely re-written my syslog-ng.conf so I may have changed the
name of the source. As you probably figured out (but just for the archive),
you want to set it to the name assigned to the source of your messages.

> It just works. Because it sits in /root, i.e., only root can read the
> script, do you think we have any reasons other than "paranoid" to
> make a C version of your script?

It *should* be safe. But if there is any way for someone to manipulate the
log message in such a way as to pass something tainted to the script, it
could cause trouble. I only know it's generally not recommended to process
user-controllable information with a script running as root.

Like, for example, some security bug where someone could do this:

  login: '`exit: rm /`'

and have it end up passed to the script via the syslog. I dunno... you're
probably safe. It might be more of a problem if local users could get to
the system.

> I am working remote now so it is not the right time to restart the
> firewall.

Oops... Been there, done that. When it works, it works. But if you goof
the script, you're hosed. At first I was also worried about locking myself
out by mistyping my user name or something like that. But, so far, I
haven't had a problem. After the first slip-up I'm extra careful.

> My website gets 15000 hits per day. Robots like Yahoo or Google knock on my
> web server every 1 second but I have never seen any hit from webshot. Maybe
> I am so lucky :D.

Holy smokes... I've never seen that much activity here, hacking or
otherwise. Then again, the web sites on my personal machine are not
really public. I keep my public stuff on a professionally-maintained
server ;-)...

The webshots.com thing is odd. I can't imagine the IP to which the domain
resolves would be dynamic. And there would be little point trying to port
scan and/or hack into the system with a forged IP, as the packets would
never come back (maybe DDOS?). So it's possible some server used by the
webshots.com site has been hacked and they don't know it. All I know is
that several times, at intervals months apart, the webshots.com IP shows
up in my SHITLIST. Interesting...

---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.
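One way to keep the script side of this safe, as an added example that is not part of the thread or of the original anticrack script (the sshd log format and the iptables DROP rule it builds are my assumptions): parse the sshd line with a strict pattern, re-validate the address, and hand it to the firewall command as a single argv element so no shell ever sees the attacker-chosen user name.

```python
import ipaddress
import re
import subprocess

# Strict pattern for sshd's "Failed password" message. The greedy user group
# plus the end-of-line anchor means the address used is always the one sshd
# appended, even if a crafted user name itself contains "from x.x.x.x port".
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>[0-9.]{7,15}) port \d+ ssh2\s*$"
)

def parse_failed_login(line):
    """Return (user, ip) for a failed-login line, else None."""
    m = FAILED_LOGIN.search(line)
    if not m:
        return None
    # Re-parse the address: only a well-formed IPv4 address goes further.
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ipaddress.AddressValueError:
        return None
    # The user string is kept for the record only; it never reaches a command.
    return m.group("user"), str(ip)

def block_command(ip):
    """argv for the block action (assumed here: an iptables DROP rule)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

def handle_line(line, run=False):
    """Return the argv that would block the failed login's source, or None."""
    parsed = parse_failed_login(line)
    if parsed is None:
        return None
    cmd = block_command(parsed[1])
    if run:
        # shell=False (the default): the address is one argument, no shell.
        subprocess.run(cmd, check=True)
    return cmd

# Constructed sample lines (documentation address ranges): the crafted user
# name from the message above, a successful login, and a malformed address.
SAMPLE_LINES = [
    "Jan 10 12:34:56 host sshd[1234]: Failed password for invalid user "
    "`exit: rm /` from 192.0.2.10 port 4321 ssh2",
    "Jan 10 12:35:01 host sshd[1236]: Accepted password for joe "
    "from 203.0.113.5 port 1234 ssh2",
    "Jan 10 12:35:02 host sshd[1237]: Failed password for invalid user bob "
    "from 999.1.1.1 port 22 ssh2",
]
```

Called from the syslog-ng destination with `handle_line(line, run=True)`, the crafted user name is only ever data inside a Python string; the one thing that reaches iptables is a validated address.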

